Recent studies have shown that attackers can catastrophically reduce the performance of GNNs by maliciously modifying the graph structure or node features on the graph. Adversarial training, which has been shown to be one of the most effective defense mechanisms against adversarial attacks in computer vision, holds great promise for enhancing the robustness of GNNs. There is limited research on defending against attacks by performing adversarial training on graphs, and it is crucial to delve deeper into this approach to optimize its effectiveness. Therefore, based on robust adversarial training on graphs, we propose a hierarchical constraint refinement framework (HC-Ref) that enhances the anti-perturbation capabilities of GNNs and downstream classifiers separately, ultimately leading to improved robustness. We propose corresponding adversarial regularization terms that are conducive to adaptively narrowing the domain gap between the normal part and the perturbation part according to the characteristics of different layers, promoting the smoothness of the predicted distribution of both parts. Moreover, existing research on graph robust adversarial training primarily concentrates on training from the standpoint of node feature perturbations and seldom takes into account alterations in the graph structure. This limitation makes it challenging to prevent attacks based on topological changes in the graph. This paper generates adversarial examples by utilizing graph structure perturbations, offering an effective approach to defend against attack methods that are based on topological changes. Extensive experiments on two real-world graph benchmarks show that HC-Ref successfully resists various attacks and has better node classification performance compared to several baseline methods.

翻译：近年研究表明，攻击者可通过恶意篡改图结构或节点特征，严重降低图神经网络（GNN）的性能。对抗训练作为计算机视觉领域最有效的防御机制之一，在提升GNN鲁棒性方面展现出巨大潜力。目前针对图对抗训练的防御研究尚不充分，深入探索该方法以优化其有效性至关重要。为此，本文基于图的鲁棒对抗训练，提出分层约束精炼框架（HC-Ref），该框架分别增强GNN和下游分类器的抗扰动能力，最终实现鲁棒性的整体提升。我们提出相应的对抗正则化项，根据不同层特性自适应缩窄正常部分与扰动部分之间的域差异，促进两部分预测分布的平滑性。此外，现有图鲁棒对抗训练研究主要从节点特征扰动角度进行训练，鲜少考虑图结构的变化，这使得难以防御基于图拓扑变化的攻击。本文通过利用图结构扰动生成对抗样本，为防御基于拓扑变化的攻击方法提供了有效途径。在两个真实图基准上的大量实验表明，与多种基线方法相比，HC-Ref能够成功抵御各类攻击，并具有更优的节点分类性能。